Annex 
Cybersecurity Fortification Initiative 2.0 


The HKMA has conducted a holistic review of the Cybersecurity Fortification Initiative 
(CFI), taking into account i) the experience gained in the past few years; ii) feedback from 
authorized institutions (AIs) obtained via an industry survey and interviews with 
selected institutions; and iii) overseas developments and new practices. The HKMA 
then issued a consultation paper in January 2020 putting forward a set of 
recommendations to enhance the three pillars of the CFI. Two workshops were 
conducted with members of the Hong Kong Association of Banks (HKAB), one in 
March and another in June, to discuss the industry feedback received during the 
consultation. 


A revised CFI, or CFI 2.0, was subsequently developed, having regard to the findings of 
the review. The revised framework aims to simplify the assessment process while 
maintaining effective control standards that are commensurate with the latest technology 
trends. Substantial efforts will be made to expand the talent supply and encourage cyber 
threat intelligence sharing across the industry. Details of the major enhancements are 
set out below. 


C-RAF 2.0 — Risk assessment 


• Introduction of new and enhanced control principles reflecting recent international 
sound practices in cyber incident response and recovery, as well as the latest technology 
trends (e.g. cloud technology and virtualisation security); 

• Introduction of Blue Team requirements for iCAST to measure the effectiveness of 
the detection, response and recovery functions of AIs; 

• Allowing more flexibility for AIs to leverage the results of similar cyber resilience 
assessments performed by their banking groups or headquarters; 


PDP — Talent Development 


• Updating and expanding the list of acceptable cyber professional qualifications for 
conducting C-RAF assessments, including new iCAST threat intelligence 
qualifications (see the table below); and 


CISP — Information Sharing 


• Recommending the development of a target operating model to improve the user-
friendliness of CISP by outlining the governance, roles and responsibilities of users; 

• Expanding the CISP membership to on-board members of the DTC Association and 
other financial sectors. 


List of equivalent qualifications 

The table below lists, for each iCAST role, the corresponding CREST certification and 
the qualifications accepted as equivalent.

C-RAF Assessor 
  CREST Certification: N/A 
  Equivalent Qualifications: 
  • ISACA's Certified Information Systems Auditor (CISA) 
  • (ISC)2's Certified Information Systems Security Professional (CISSP) 
  • ISACA's Certified Information Security Manager (CISM) 
  • ISACA's Certified in Risk and Information Systems Control (CRISC) 
  • ISACA's Cybersecurity Fundamentals Certificate (CSX-F) and Cybersecurity Nexus 
    Practitioner Certification (CSX-P) 
  • China Information Technology Security Evaluation Centre's Certified Information 
    Security Professional — Hong Kong (CISP-HK) 
  • EC-Council's Certified Ethical Hacker (CEH) * 

iCAST Manager 
  CREST Certification: CREST Certified Simulated Attack Manager (CCSAM) 
  Equivalent Qualifications: 
  • HKIB's CCASP — Certified Simulated Attack Manager 
  • GIAC Penetration Tester (GPEN) and GIAC Exploit Research and Advanced 
    Penetration Tester (GXPN) 
  • Offensive Security Certified Expert (OSCE) and Offensive Security Exploitation 
    Expert (OSEE) 

iCAST Threat Intelligence Specialist 
  CREST Certification: CREST Certified Threat Intelligence Manager; 
    CREST Registered Threat Intelligence Analyst (CRTIA) * 
  Equivalent Qualifications: 
  • HKIB's CCASP — Certified Simulated Attack Manager 
  • GIAC Penetration Tester (GPEN) 
  • GIAC Exploit Research and Advanced Penetration Tester (GXPN) 
  • OSCE 
  • GIAC Cyber Threat Intelligence (GCTI) * 
  • McAfee Institute's Certified Cyber Intelligence Professional (CCIP) * 

iCAST Specialist 
  CREST Certification: CREST Certified Simulated Attack Specialist (CCSAS) 
  Equivalent Qualifications: 
  • HKIB's CCASP — Certified Simulated Attack Specialist 
  • GPEN and GXPN 
  • OSCE and OSEE 
  • eLearnSecurity Certified Penetration Tester eXtreme (eCPTX) * 
  • eLearnSecurity Web Application Penetration Tester eXtreme (eWPTX) * 
  • PentesterAcademy's Certified Red Teaming Expert (CRTE) * 

iCAST Tester (IT infrastructure testing) 
  CREST Certification: CREST Certified Infrastructure Tester (CCT Infra) 
  Equivalent Qualifications: 
  • HKIB's CCASP — Certified Infrastructure Tester 
  • GPEN 
  • OSCE 
  • OSCP * 
  • eLearnSecurity Certified Professional Penetration Tester (eCPPT) * 
  • eLearnSecurity Web Application Penetration Tester (eWPT) * 
  • PentesterAcademy's Certified Red Teaming Professional (CRTP) * 
  • ISACA's CSX Penetration Testing Overview (CPTO) Certificate * 

iCAST Tester (web application testing) 
  CREST Certification: CREST Certified Web Applications Tester (CCT Web App) 
  Equivalent Qualifications: 
  • HKIB's CCASP — Certified Web Applications Tester 
  • GIAC Web Application Penetration Tester (GWAPT) 
  • Offensive Security Web Expert (OSWE) 
  • OSCP * 
  • eLearnSecurity Certified Professional Penetration Tester (eCPPT) * 
  • eLearnSecurity Web Application Penetration Tester (eWPT) * 
  • PentesterAcademy's Certified Red Teaming Professional (CRTP) * 
  • ISACA's CPTO Certificate * 

Additions to the equivalent qualifications are marked with an asterisk (*). 
